Successfully reported this slideshow.
Post Memory Corruption     Memory Analysis                  Jonathan Brossard               CEO – Toucan Systemjonathan@to...
Who am I ?- Security Research Engineer at Toucan System- Speaker at Blackhat, Defcon, HITB, H2HC,   Kiwicon... and Ruxcon ...
I dont reverse plain text
Regarding webapps...For webdev, XSS, CSS, Javacript ... ask  Jeremiah Grossman during Ruxcon ;)
Agenda   A few basics       Being environment aware        PMCMA Design       Extending Pmcma   •Stack desynchronization
Tool available at http://www.pmcma.org
We got 10k downloads+ in  2 less than months...(Note : Andrewg, thanks for your help,     you can stop your bot now...)
Whats pmcma ?Its a debugger, for Linux (maybe one day *NIX) ptrace() based.Pmcma allows to find and test exploitation scen...
Whats pmcma ?     DEMO
Coz you asked for it...
Remote stack overflow   automated exploitationNX/SSP (stack cookies)/ASLR/PIE/STATIC         GOT/Ascii Armoring...=> No pr...
DEMO
Now, lets move to the real           thing...
A FEW BASICS
Seriously, can we skip this         section ?
How do applications          crash ?* Stack corruptions -> stack overflows,  usually now detected because of SSP |  studie...
How do applications          crash ?* Stack corruptions -> stack overflows,  usually now detected because of SSP |  studie...
Invalid memory access- trying to read a page not readable.  often not mapped at all.- trying to write to a page not writab...
Why do they happen ?Because of any kind of miscomputation, really :- integer overflows in loop counters or destination reg...
Exploiting invalid exec     Trivial, really. Eg :           call eax with eax fully user controled
Invalid memory reads (1/2)               Eg :        CVE-2011-0761 (Perl)  cmp    BYTE PTR [ebx+0x8],0x9
Invalid memory reads (2/2)                 Eg :          CVE-2011-0764 (t1lib)    fld    QWORD PTR [eax+0x8]
Exploiting invalid memory           reads ?- usually plain not exploitable- wont allow us to modify the memory   of the ma...
Invalid memory writes              Eg :      CVE-2011-1824 (Opera)mov   DWORD PTR [ebx+edx*1],eax
How to...To exploit invalid writes, we need to find   ways to transform an arbitray write           into an arbitrary exec...
Exploiting invalid memory     writes : scenario- Target a known function pointer  (typically : .dtors, GOT entry...).Can b...
Being environment aware
Problems to take into           account- Kernel : ASLR ? NX ?- Compilation/linking : RELRO  (partial/full) ? no .dtors sec...
ASLRMajor problem when chosing an      exploitation strategy.
ASLR : not perfect- Prelinking (default on Fedora) breaks ASLR- All kernels dont have the same  randomization strength.- N...
Testing ASLR-Run a binary X times (say X=100)  -Stop execution after loading-Record mappings.   => Compare mappings, deduc...
DEMO : being environment aware
PMCMA DESIGN
GOALS- We want to test overwriting different  memory locations inside a process  and see if they have an influence over  t...
mk_fork()               The idea :-We start analysing after a SEGFAULT-We make the process fork() (many  many times)-Insid...
mk_fork() : benefitsMapping looks « just like » it will when     actually exploiting a binary No ASLR/mapping replication ...
How to force a process to            fork ?1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to inje...
Forking shellcode;forking shellcode:00000000 6631C0       xor eax,eax00000003 B002         mov al,0x200000005 CD80        ...
Offspring 2mk_fork()                             Executable                                      Writable                 ...
mk_fork()            Offspring 1            Executable            Writable            Executable                …
mk_fork()            Offspring 2            Executable            Writable            Executable                …
mk_fork()            Offspring n            Executable            Writable            Executable                …
mk_fork() : PROS- allows for multiple tests out of a single  process- fast, efficient (no recording of memory  snapshots)-...
mk_fork() : CONS- Dealing with offsprings termination ?  (Zombie processes)- I/O, IPC, network sockets will be in  unpredi...
Zombie reaping- Avoid the wait() for a SIGCHILD in the  parent process.- Kill processes after a given timeout,  including ...
Zombie reaping : the   SIGCHILD problemIf we can have the parent process ignore SIGCHILD signals, we wont          create ...
Zombie reaping : the       SIGCHILD problem1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to inje...
Force process grouping :                shellcode; Sigaction shellcode: // Zombie reaper; struct sigaction sa = {.sa_handl...
Zombie reaping : killingthe offsprings and their        childrenFortunatly, this is possible using     « process grouping ...
Process groupingsetpgid() sets the PGID of the process specified by pid to pgid. Ifpid is zero, then the process ID of the...
Zombie reaping : forcing      process grouping1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to i...
Force process grouping...;; setpgid(0,0); shellcode;_start:   nop   nop   nop   nop   mov eax,0x39 ; setpgid   xor ebx,ebx...
Zombie reaping :          final detailsFrom now on, to kill a process and all of  its children :           kill (-pid, SIG...
IPC, I/O, invalid syscallsOne possibility is to recode correct execution on the original process (after clearing signals a...
PMCMA : FEATURES
Exploiting invalid memorywrites via function pointersWe now want to find all the functionpointers called by the applicatio...
Finding all the function    pointers actually called1) Parse all the +W memory, look for possible  pointers to any section...
Finding all the function    pointers actually calledOverwritten pointer leads to execution of canari address 0xf1f2f3f4 <=...
Finding all the functionpointers actually called         DEMO
So what can we test now ? Invalid write anything anywhere : attacker has full control over datawritten and destination whe...
So what can we test now ?Overflows (in any writtable section but               the stack) : Simply limit the results of pm...
So what can we test now ?What if the attacker has little or no     control over the data beingwritten (arbitrary write non...
Partial overwrites and     pointers truncationIf we cant properly overwrite a function    pointer, maybe we can still trun...
Exemple :--[ Function pointers exploitable by truncation with 0x41424344:At 0xb70ce070 : 0xb70c63c2 will become 0xb70c4142...
One more situation...Sometimes, an attacker has limited control over the destination of the write (wether he controls the ...
Exploiting 4b aligned    memory writesWe cant attack a function pointerdirectly, unless it is unaligned (rare  because of ...
Exploiting 4b alignedmemory writes : plan BFind all « normal » variables we can overwrite/truncate, and attempt totrigger ...
Finding all unaligned     memory accesses  Setting the unaligned flag in theEFLAGS register will trigger a signal 7   uppo...
Finding all unaligned  memory accesses        DEMO
Finding all unaligned  memory accesses     DEMO x86_64
Defeating ASLR : Automated memory mapping leakageHow does WTFuzz did it at CansecWest  2010 to win the pwn2own contest    ...
Defeating ASLR with an      arbitrary write ?In the original process :- use ptrace() PTRACE_SYSCALL- record the calls to s...
Defeating ASLR with an      arbitrary write ?Create many offsprings using mk_fork().-In each of them : overwrite a differe...
Extending Pmcma
Means of modifying theflow of execution without    function pointers           Call tables.     Calling [Offset+register] ...
Pointers and ASLRIf overwritting a given function pointer   isnt practical because of ASLR : is it   possible to overwrite...
Finding pointers to structures containing function pointers        Executable       Writable (no       ASLR)          Exec...
Finding pointers to structures containing function pointers   Wed like to have the debugged process  create a new section,...
Forcing a process to create     a new mapping :1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to ...
;; old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, 0, 0) shellcode:;_start:          nop          nop...
Testing exhaustively   arbitrary writesIn case all of the above failed...Can we trigger secondary bugs by  overwritting sp...
Testing exhaustively    arbitrary writes       Complexity is huge !  Still doable with Pmcma, with noguaranty over the tim...
Testing exhaustively       arbitrary readsIn the same veine, attacker controled  invalid reads can trigger secondary     b...
Stack desynchronization       W^X is a problem.  Even if we can overwrite fully afunction pointer and modify the flow of e...
Stack desynchronizationInstead of returning directly to shellcode in  +W section (hence probably not +X) :-Return to a fun...
Stack desynchronization :      Exemple : sudo- stack is ~1000 big (at analysis time)- we find a function pointer to  overw...
Stack desynchronization :       Exemple : sudojonathan@blackbox:~$ objdump -Mintel -d    /usr/bin/sudo... 805277a:       8...
Stack desynchronization :     Exemple : sudoWe can control the destination where esp is going to point : simply use an    ...
Stack desynchronization :       Exemple : sudoWe then forge fake stack frames in the stack itself- « Nop sled » : any poin...
DEMOS
Future Work- port to more architectures (Linux  x86_64 on the way, arm...)- port to more OS (Mac OSX, *BSD)- port to Windo...
Thank you for coming    Questions ?
Upcoming SlideShare
Loading in …5
×

[Ruxcon 2011] Post Memory Corruption Memory Analysis

1,147 views

Published on

Exploit Automation with Post Memory Corruption Memory Analysis (PMCMA) talk as given at Ruxcon 2011.

  • Be the first to comment

[Ruxcon 2011] Post Memory Corruption Memory Analysis

  1. 1. Post Memory Corruption Memory Analysis Jonathan Brossard CEO – Toucan Systemjonathan@toucan-system.com
  2. 2. Who am I ?- Security Research Engineer at Toucan System- Speaker at Blackhat, Defcon, HITB, H2HC, Kiwicon... and Ruxcon :)- Organiser of the Hackito Ergo Sum conference (Paris).- Im the guy who comes to Ruxcon with 90+ slides...
  3. 3. I dont reverse plain text
  4. 4. Regarding webapps...For webdev, XSS, CSS, Javacript ... ask Jeremiah Grossman during Ruxcon ;)
  5. 5. Agenda A few basics Being environment aware PMCMA Design Extending Pmcma •Stack desynchronization
  6. 6. Tool available at http://www.pmcma.org
  7. 7. We got 10k downloads+ in 2 less than months...(Note : Andrewg, thanks for your help, you can stop your bot now...)
  8. 8. Whats pmcma ?Its a debugger, for Linux (maybe one day *NIX) ptrace() based.Pmcma allows to find and test exploitation scenarios.Pmcmas output is a roadmap to exploitation, not exploit code.Tells you if a given bug triggering an invalid memory access is a vulnerability, if it is exploitable with the state of the art, and how to exploit it.
  9. 9. Whats pmcma ? DEMO
  10. 10. Coz you asked for it...
  11. 11. Remote stack overflow automated exploitationNX/SSP (stack cookies)/ASLR/PIE/STATIC GOT/Ascii Armoring...=> No problem, easy cheesy : can be done with static analysis (of the libc/binary) only.
  12. 12. DEMO
  13. 13. Now, lets move to the real thing...
  14. 14. A FEW BASICS
  15. 15. Seriously, can we skip this section ?
  16. 16. How do applications crash ?* Stack corruptions -> stack overflows, usually now detected because of SSP | studied a LOT* Signal 6 -> assert(),abort(): unexpected execution paths (assert() in particular), heap corruptions* Segfault (Signal 11) -> Invalid memory access
  17. 17. How do applications crash ?* Stack corruptions -> stack overflows, usually now detected because of SSP | studied a LOT* Signal 6 -> assert(),abort(): unexpected execution paths (assert() in particular), heap corruptions* Segfault (Signal 11) -> Invalid memory access
  18. 18. Invalid memory access- trying to read a page not readable. often not mapped at all.- trying to write to a page not writable. often not mapped at all.- trying to execute a page not executable. often not mapped at all.
  19. 19. Why do they happen ?Because of any kind of miscomputation, really :- integer overflows in loop counters or destination registers when copying/initializing data, casting errors when extending registers or- uninitialised memory, dangling pointers- variable misuse- heap overflows (when inadvertently overwriting a function ptr)- missing format strings- overflows in heap, .data, .bss, or any other writable section (including shared libraries).- stack overflows when no stack cookies are present...
  20. 20. Exploiting invalid exec Trivial, really. Eg : call eax with eax fully user controled
  21. 21. Invalid memory reads (1/2) Eg : CVE-2011-0761 (Perl) cmp BYTE PTR [ebx+0x8],0x9
  22. 22. Invalid memory reads (2/2) Eg : CVE-2011-0764 (t1lib) fld QWORD PTR [eax+0x8]
  23. 23. Exploiting invalid memory reads ?- usually plain not exploitable- wont allow us to modify the memory of the mapping directly- in theory : we could perform a user controled read, to trigger a second (better) bug.
  24. 24. Invalid memory writes Eg : CVE-2011-1824 (Opera)mov DWORD PTR [ebx+edx*1],eax
  25. 25. How to...To exploit invalid writes, we need to find ways to transform an arbitray write into an arbitrary exec. The most obvious targets are function pointers.
  26. 26. Exploiting invalid memory writes : scenario- Target a known function pointer (typically : .dtors, GOT entry...).Can be prevented at compile time : no .dtors, static GOT...- Target function pointers in the whole binary ?- Overwrite a given location to trigger an other bug (eg : stack overflow)
  27. 27. Being environment aware
  28. 28. Problems to take into account- Kernel : ASLR ? NX ?- Compilation/linking : RELRO (partial/full) ? no .dtors section ? SSP ? FORTIFY_SOURCE ?=> Pmcma needs to mesure/detect those features
  29. 29. ASLRMajor problem when chosing an exploitation strategy.
  30. 30. ASLR : not perfect- Prelinking (default on Fedora) breaks ASLR- All kernels dont have the same randomization strength.- Non PIE binaries=> Truth is : we need better tools to test it !
  31. 31. Testing ASLR-Run a binary X times (say X=100) -Stop execution after loading-Record mappings. => Compare mappings, deduce randomization
  32. 32. DEMO : being environment aware
  33. 33. PMCMA DESIGN
  34. 34. GOALS- We want to test overwriting different memory locations inside a process and see if they have an influence over the flow of execution- We want to scale to big applications (web browsers, network deamons...)- We want a decent execution time
  35. 35. mk_fork() The idea :-We start analysing after a SEGFAULT-We make the process fork() (many many times)-Inside each offspring, we overwrite a different memory location
  36. 36. mk_fork() : benefitsMapping looks « just like » it will when actually exploiting a binary No ASLR/mapping replication problem Exhaustive and hopefully fast
  37. 37. How to force a process to fork ?1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to inject fork() shellcode.4) Modify registers so eip points to shellcode.5) Execute shellcode.6) Wait() for both original process and offspring.7) Restore bytes in both processes.8) Restore registers in both processes.
  38. 38. Forking shellcode;forking shellcode:00000000 6631C0 xor eax,eax00000003 B002 mov al,0x200000005 CD80 int 0x80
  39. 39. Offspring 2mk_fork() Executable Writable ExecutableOriginal process Offspring 1 … Executable Executable Writable Writable Executable Executable … …
  40. 40. mk_fork() Offspring 1 Executable Writable Executable …
  41. 41. mk_fork() Offspring 2 Executable Writable Executable …
  42. 42. mk_fork() Offspring n Executable Writable Executable …
  43. 43. mk_fork() : PROS- allows for multiple tests out of a single process- fast, efficient (no recording of memory snapshots)- no need to use breakpoints- no single stepping
  44. 44. mk_fork() : CONS- Dealing with offsprings termination ? (Zombie processes)- I/O, IPC, network sockets will be in unpredictable state- Hence syscalls will get wrong too (!!)
  45. 45. Zombie reaping- Avoid the wait() for a SIGCHILD in the parent process.- Kill processes after a given timeout, including all of their children.
  46. 46. Zombie reaping : the SIGCHILD problemIf we can have the parent process ignore SIGCHILD signals, we wont create Zombies.=> We inject a small shellcode to perform this via sigaction()
  47. 47. Zombie reaping : the SIGCHILD problem1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to inject sigaction() shellcode.4) Modify registers so eip points to shellcode.5) Execute shellcode.6) Wait() for the process while executing shellcode.7) Restore bytes in +X location.8) Restore registers in the process.
  48. 48. Force process grouping : shellcode; Sigaction shellcode: // Zombie reaper; struct sigaction sa = {.sa_handler = SIG_IGN};; sigaction(SIGCHLD, &sa, NULL);_start: nop nop nop nop call fakefake: pop ecx add ecx,0x18 ; delta to sigaction structure xor eax,eax mov al,0x43 ; sigaction mov ebx,0x11 ; SIGCHLD xor edx,edx ; 0x00 int 0x80 db 0xcc, 0xcc,0xcc,0xcc; struct sigaction sa = {.sa_handler = SIG_IGN}; db 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
  49. 49. Zombie reaping : killingthe offsprings and their childrenFortunatly, this is possible using « process grouping »...
  50. 50. Process groupingsetpgid() sets the PGID of the process specified by pid to pgid. Ifpid is zero, then the process ID of the calling process is used. Ifpgid is zero, then the PGID of the process specified by pid is made thesame as its process ID. If setpgid() is used to move a process fromone process group to another (as is done by some shells when creatingpipelines), both process groups must be part of the same session (seesetsid(2) and credentials(7)). In this case, the pgid specifies anexisting process group to be joined and the session ID of that groupmust match the session ID of the joining process.
  51. 51. Zombie reaping : forcing process grouping1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to inject setpgid() shellcode.4) Modify registers so eip points to shellcode.5) Execute shellcode.6) Wait() for the process while executing shellcode.7) Restore bytes in +X location.8) Restore registers in the process.
  52. 52. Force process grouping...;; setpgid(0,0); shellcode;_start: nop nop nop nop mov eax,0x39 ; setpgid xor ebx,ebx xor ecx,ecx int 0x80 db 0xcc, 0xcc
  53. 53. Zombie reaping : final detailsFrom now on, to kill a process and all of its children : kill (-pid, SIGTERM) ;
  54. 54. IPC, I/O, invalid syscallsOne possibility is to recode correct execution on the original process (after clearing signals and ignoring the SEGFAULT).Then replay/fake the syscalls on the offsprings.=> Minimal userland « virtualization ».
  55. 55. PMCMA : FEATURES
  56. 56. Exploiting invalid memorywrites via function pointersWe now want to find all the functionpointers called by the application from the instruction which triggered the SEGFAULT until it actually halts.(including pointers in shared libraries!!)
  57. 57. Finding all the function pointers actually called1) Parse all the +W memory, look for possible pointers to any section1 bis) optionally disassemble the destination and see if it is a proper prologue.2) use mk_fork() to create many children3) in each children, overwrite a different possible function pointer with a canari value (0xf1f2f3f4).4) Monitor execution of the offsprings
  58. 58. Finding all the function pointers actually calledOverwritten pointer leads to execution of canari address 0xf1f2f3f4 <=> We found a called function pointer.
  59. 59. Finding all the functionpointers actually called DEMO
  60. 60. So what can we test now ? Invalid write anything anywhere : attacker has full control over datawritten and destination where written => GAME OVER
  61. 61. So what can we test now ?Overflows (in any writtable section but the stack) : Simply limit the results of pmcma to this section.
  62. 62. So what can we test now ?What if the attacker has little or no control over the data beingwritten (arbitrary write non controled data, anywhere) ?
  63. 63. Partial overwrites and pointers truncationIf we cant properly overwrite a function pointer, maybe we can still truncate one (with the data we dont control) so that it transfers execution to a controled memory zone ?
  64. 64. Exemple :--[ Function pointers exploitable by truncation with 0x41424344:At 0xb70ce070 : 0xb70c63c2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW)At 0xb70e40a4 : 0xb70ca8f2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW)At 0xb70ec080 : 0xb70e5e02 will become 0xb70e4142 (lower truncated by 16 bits, dest perms:RW)At 0xb731a030 : 0xb7315da2 will become 0xb7314142 (lower truncated by 16 bits, dest perms:RW)At 0xb73230a4 : 0xb732003a will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)At 0xb732803c : 0xb7325a36 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)At 0xb76a80d8 : 0xb7325bf0 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
  65. 65. One more situation...Sometimes, an attacker has limited control over the destination of the write (wether he controls the data being written or not). Eg : 4b aligned memory writes.
  66. 66. Exploiting 4b aligned memory writesWe cant attack a function pointerdirectly, unless it is unaligned (rare because of compiler internals).Pmcma will still let you know if this happens ;)
  67. 67. Exploiting 4b alignedmemory writes : plan BFind all « normal » variables we can overwrite/truncate, and attempt totrigger a second bug because of this overwrite.
  68. 68. Finding all unaligned memory accesses Setting the unaligned flag in theEFLAGS register will trigger a signal 7 uppon next access of unaligned memory (read/write).
  69. 69. Finding all unaligned memory accesses DEMO
  70. 70. Finding all unaligned memory accesses DEMO x86_64
  71. 71. Defeating ASLR : Automated memory mapping leakageHow does WTFuzz did it at CansecWest 2010 to win the pwn2own contest against IE8/Windows 7 ? Overwrite the null terminator of a JS string to perform a mem leak uppon usage (trailing bytes).
  72. 72. Defeating ASLR with an arbitrary write ?In the original process :- use ptrace() PTRACE_SYSCALL- record the calls to sys_write() and sys_socketall() (wrapper to sys_send() or sys_sendto()...), including : where is the data sent ? How many bytes ?
  73. 73. Defeating ASLR with an arbitrary write ?Create many offsprings using mk_fork().-In each of them : overwrite a different location with dummy data.-Follow execution using PTRACE_SYSCALL-Monitor differences : a different address or a bigger size means a memory leak :)
  74. 74. Extending Pmcma
  75. 75. Means of modifying theflow of execution without function pointers Call tables. Calling [Offset+register] => This is also already performed automatically using pmcma.
  76. 76. Pointers and ASLRIf overwritting a given function pointer isnt practical because of ASLR : is it possible to overwrite a pointer (in an other section) to a structure containing this function pointer ? Would this « other section » be less randomised ?
  77. 77. Finding pointers to structures containing function pointers Executable Writable (no ASLR) Executable Writable (high Complex structure ASLR) … Executable void* f(a,b,c) …
  78. 78. Finding pointers to structures containing function pointers Wed like to have the debugged process create a new section, with a given mapping (to ease identify). Modify a possible pointer per offspring (use mk_fork()). Monitor execution : is the offspring calling a function pointer from our custom mapping ?
  79. 79. Forcing a process to create a new mapping :1) Find a +X location mapped in memory.2) Save registers3) Use ptrace() to inject mmap() shellcode.4) Modify registers so eip points to shellcode.5) Execute shellcode.6) Wait() for the process while executing shellcode.7) Restore bytes in +X location.8) Restore registers in the process.
  80. 80. ;; old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, 0, 0) shellcode:;_start: nop nop nop nop xor eax, eax xor ebx, ebx xor ecx, ecx xor edx, edx xor esi, esi xor edi, edi mov bx, 0x1000 ; 1 page mov cl, 0x3 ; PROT_READ|PROT_WRITE mov dl, 0x21 ; MAP_SHARED|MAP_ANON push eax push eax push edx push ecx push ebx push eax mov ebx, esp mov al, 0x5a ; sys_mmap int 0x80 ; eax contains address of new mapping db 0xcc, 0xcc, 0xcc, 0xcc
  81. 81. Testing exhaustively arbitrary writesIn case all of the above failed...Can we trigger secondary bugs by overwritting specific memory locations ?
  82. 82. Testing exhaustively arbitrary writes Complexity is huge ! Still doable with Pmcma, with noguaranty over the time of execution.
  83. 83. Testing exhaustively arbitrary readsIn the same veine, attacker controled invalid reads can trigger secondary bugs, which will be exploitable.=> We can test the whole 4+ billions search space (under x86 Intel architecture), or just a few evenly chosen ones.
  84. 84. Stack desynchronization W^X is a problem. Even if we can overwrite fully afunction pointer and modify the flow of execution... what do we want to execute in 2011 ?
  85. 85. Stack desynchronizationInstead of returning directly to shellcode in +W section (hence probably not +X) :-Return to a function epilogue chosen so that esp will be set to user controled data in the stack.- Fake stack frames in the stack itself.- Use your favorite ROP/ret2plt shellcode
  86. 86. Stack desynchronization : Exemple : sudo- stack is ~1000 big (at analysis time)- we find a function pointer to overwrite (at 0x0806700c)- we overwrite it with a carefully chosen prologue (inc esp by more than 1000)
  87. 87. Stack desynchronization : Exemple : sudojonathan@blackbox:~$ objdump -Mintel -d /usr/bin/sudo... 805277a: 81 c4 20 20 00 00 add esp,0x2020 8052780: 5b pop ebx 8052781: 5e pop esi 8052782: 5d pop ebp 8052783: c3 ret
  88. 88. Stack desynchronization : Exemple : sudoWe can control the destination where esp is going to point : simply use an environment variable TOTO=mydata sudo
  89. 89. Stack desynchronization : Exemple : sudoWe then forge fake stack frames in the stack itself- « Nop sled » : any pointer to retEg :804997b: c3 ret- Then copy shellcode to .bss byte per byte using memcpy via ret2plt- Use GOT overwrite to get pointer to mprotect() in the GOT (ROP)- call mprotect to make .bss +X via ret2plt- return to shellcode in .bss
  90. 90. DEMOS
  91. 91. Future Work- port to more architectures (Linux x86_64 on the way, arm...)- port to more OS (Mac OSX, *BSD)- port to Windows (hard)- add tests for other bug classes
  92. 92. Thank you for coming Questions ?

×